Intermittent InvalidJwtError: Failed to parse session token error #808

Closed
2 of 5 tasks
tryzens-manuraj opened this issue Apr 22, 2024 · 4 comments

Comments

@tryzens-manuraj

Issue summary

Before opening this issue, I have:

  • Upgraded to the latest version of the relevant packages
    • @shopify/* package and version:
    • Node version:
    • Operating system:
  • Set { logger: { level: LogSeverity.Debug } } in my configuration, when applicable
  • Found a reliable way to reproduce the problem that indicates it's a problem with the package
  • Looked for similar issues in this repository
  • Checked that this isn't an issue with a Shopify API

Expected behavior

Shopify.Utils.decodeSessionToken should return a valid JWT payload

Actual behavior

Shopify.Utils.decodeSessionToken throws an InvalidJwtError on an intermittent basis.

Package version used: 3.0.0
Node version: v16.17.0

What actually happens?

node:internal/process/promises:279
            triggerUncaughtException(err, true /* fromPromise */);
            ^
InvalidJwtError: Failed to parse session token 'JWT TOKEN HERE': jwt expired
    at InvalidJwtError.ShopifyError [as constructor] (/node_modules/@shopify/shopify-api/dist/error.js:13:28)
    at new InvalidJwtError (/node_modules/@shopify/shopify-api/dist/error.js:39:42)
    at decodeSessionToken (/node_modules/@shopify/shopify-api/dist/utils/decode-session-token.js:23:15)
    at Object.getCurrentSessionId (/node_modules/@shopify/shopify-api/dist/auth/oauth/oauth.js:211:69)
    at Object.<anonymous> (/node_modules/@shopify/shopify-api/dist/utils/load-current-session.js:19:46)
    at step (/node_modules/tslib/tslib.js:144:27)
    at Object.next (/node_modules/tslib/tslib.js:125:57)
    at /node_modules/tslib/tslib.js:118:75
    at new Promise (<anonymous>)
    at Object.__awaiter (=node_modules/tslib/tslib.js:114:16)

Steps to reproduce the problem

It happens on an intermittent basis and we couldn't reproduce the issue in our testing. But it crashes the app.

Reference thread found in archived repository

  1. InvalidJwtError: Failed to parse session token when using Shopify.Utils.loadCurrentSession shopify-api-js#137
@paulomarg
Contributor

Hi! Usually, this error might happen if the clocks between the client and server drift too much - we allow for a certain margin of error, but if the clocks are too far apart, we won't be able to verify the JWT. This is a security feature to prevent attackers from reusing old tokens for replay attacks.

Could you please check whether your server's time is accurate to see if that helps fix the issue?

@tryzens-manuraj
Author

tryzens-manuraj commented May 7, 2024

Hi @paulomarg

Thanks for the response. We have faced the Invalid JWT error on an intermittent basis, and a difference in the servers' times would result in a constant problem.

Do you have any insight on why this happens on an intermittent basis?

@paulomarg
Contributor

Nothing that would cause an expiration date error to happen. That error happens when the token's exp claim is in the past as far as the server can see, i.e. the token is no longer valid.

Note that the token lasts for only a minute, and we have that grace period built into the check, which combined make for a window longer than the token's life where it can be used.

It might happen that the request happens at the edge of that window, and the clock difference might appear there. One thing that would be helpful is to tell how long ago the token expired when that happens. If you can catch that error and print out the token's payload, we can see what the exp claim is compared to the current time on the server; that would help us see if there's nothing wrong with the token.
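
One way to collect the information requested above (how far the token's exp claim lies behind the server clock when the error fires), as an added example that is not code from this thread or from @shopify/shopify-api. The helper names, the `graceSeconds` parameter and the sample token are assumptions made for illustration.

```javascript
// Added diagnostic sketch; not part of @shopify/shopify-api.
// Reads the payload WITHOUT verifying the signature: use it for logging only,
// never to authenticate a request.
function decodeJwtPayloadUnverified(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (payload === null || typeof payload !== 'object') throw new Error('payload is not a JSON object');
  return payload;
}

// graceSeconds is caller-supplied (hypothetical parameter); the library's own
// margin is not stated in this thread.
function describeExpiry(token, nowMs = Date.now(), graceSeconds = 0) {
  const { exp, nbf, iat } = decodeJwtPayloadUnverified(token);
  if (typeof exp !== 'number') throw new Error('exp claim missing or not numeric');
  const nowSeconds = Math.floor(nowMs / 1000);
  const expiredForSeconds = nowSeconds - exp; // positive: exp is in the past
  return {
    exp, nbf, iat, nowSeconds, expiredForSeconds,
    lifetimeSeconds: typeof iat === 'number' ? exp - iat : null,
    withinGrace: expiredForSeconds <= graceSeconds,
  };
}

// decodeFn stands in for the verifying decoder (e.g. Shopify.Utils.decodeSessionToken).
// Logs timing claims only, never the token itself, then rethrows so the
// request is still rejected by the caller's error handling.
function decodeWithDiagnostics(decodeFn, token, log = console.error, graceSeconds = 0) {
  try {
    return decodeFn(token);
  } catch (err) {
    let details;
    try { details = describeExpiry(token, Date.now(), graceSeconds); }
    catch (diagErr) { details = { uninspectable: diagErr.message }; }
    log('session token rejected', { error: err.name, ...details });
    throw err;
  }
}

// Constructed sample token (placeholder signature), for trying the helpers offline.
function makeSampleToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}.constructed-signature`;
}
```

A consistently small positive `expiredForSeconds` across failures points at requests landing on the edge of the validity window; a large or steadily growing value points at clock drift on the server.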

Contributor

We are closing this issue because we did not hear back regarding additional details we needed to resolve this issue. If the issue persists and you are able to provide the missing clarification we need, feel free to respond and reopen this issue.

We appreciate your understanding as we try to manage our number of open issues.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 22, 2024